Target Breach Involved Two-Stage Cyber-Attack: Security Researchers

New details have emerged in the massive compromise of retail giant Target's systems that resulted in the leak of tens of millions of credit- and debit-card accounts.

When Target acknowledged a breach of its systems on Dec. 19, the company released few details of the malware and tactics used in the attack. Over the last week, however, security researchers have discovered the likely malware used by attackers as well as the method by which the data thieves retrieved the stolen information from Target's network.

On Jan. 16, security firm Seculert revealed that it had found an Internet server that the attacker had used as a communications hub to retrieve information from a drop site within Target's own network. The attackers apparently collected the stolen data on the compromised Target server and then used a compromised Web site to grab the data starting Dec. 2, Seculert stated in the analysis.

"They were able to infiltrate (Target's) network and then setup several machines as part of the data exfiltration," Avi Raff, chief technology officer for Seculert, told eWEEK in an email interview. "As this is a two stage attack—steal PoS data from a machine not connected to the Internet, then move it to another machine which can send the data to an FTP (server)—it does seem to be sophisticated."

Starting on Dec. 2, the malware began transmitting the cache of stolen data outside the network to the collection server. Using a virtual private server in Russia, the attackers then downloaded the information. The stolen data totaled 11GBs, according to Seculert.

By the time the company was able to analyze the compromised Web server, the information had been deleted from the server, but the log files still revealed that massive amounts of information had been retrieved from an Internet address within Target's own network.

Symantec and other firms identified the program as a derivative of the BlackPOS malware, which among other features can "scrape" information from a compromised point-of-sale terminal's memory while it is unencrypted. Security researcher and journalist Brian Krebs first reported the Target breach and that security firms had identified the malware on Dec. 15.

The Target breach is not an isolated incident: The average retailer has seven infections communicating out from its network, according to an analysis of 1,035 distinct compromises at 139 retailers carried out by security firm BitSight. The most prevalent malware, known as Neurevt, accounted for nearly 250 of the infections, the company found.

Overall, the retail sector appears to have significant problems with malware, Stephen Boyer, co-founder and CEO of BitSight, stated in a blog post.

"What is clear is that many U.S. retailers had vulnerabilities that led to compromised systems that were or are currently under the control of a remote adversary," Boyer stated. "Not all of these organizations will be impacted equally and may not begin to rival the scale of the loss at Target; nevertheless, the evidence strongly suggests that Target and Neiman Marcus are not alone."